Black Arrow Cyber Advisory 30 July 2024 – Secure Boot Bypass identified, 200+ models from various vendors affected by PKFail Vulnerability
Executive summary
A major supply chain vulnerability known as PKFail has been discovered in hundreds of devices from numerous vendors. The flaw, which has been around for the past 12 years, revolves around a test Secure Boot master key. If exploited, it allows an attacker to bypass ‘Secure Boot’, take complete control of affected devices and install malware. Major brands like Acer, Dell, HP, Intel and Lenovo are impacted, with over 200 device models sold by Acer, Dell, Gigabyte, Intel and Supermicro specifically affected.
What’s the risk to me or my business?
If the vulnerability is successfully exploited, attackers can manipulate key databases to bypass Secure Boot. This could potentially allow attackers to install malware at a BIOS level before booting into Windows or another operating system, steal data or cause operational disruption. This could compromise the confidentiality, integrity, and availability of your organisation’s data. An attacker would need either remote or physical access to a vulnerable device to perform the attack.
What can I do?
To address this, organisations should ensure that firmware and BIOS updates which address the weakness are installed, and rekey any affected devices. Assume all affected devices are compromised and thoroughly inspect the Key Exchange Key (KEK), Signature Database (db), and Forbidden Signature Database (dbx). The security researchers who first identified the vulnerability have provided a free scanning tool to help identify vulnerable devices.
Technical Summary
The PKFail vulnerability stems from a test Secure Boot "master key" created by American Megatrends International (AMI), intended to be replaced by vendors with secure keys. Many vendors did not replace this key, leaving devices vulnerable. Attackers exploiting this flaw can tamper with the Key Exchange Key (KEK) database, the Signature Database (db), and the Forbidden Signature Database (dbx), bypassing Secure Boot. This allows them to sign and execute malicious code, leading to the deployment of UEFI malware and compromising the device at a fundamental level.
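As an added illustration (not part of the original advisory and not the researchers' scanning tool), the check below parses the EFI_SIGNATURE_LIST data of the Platform Key variable on a Linux host and flags certificates carrying test-key markers. The marker strings "DO NOT TRUST" and "DO NOT SHIP" are an assumption not stated in this advisory, and the sample key data is constructed.

```python
import struct
import uuid

EFI_CERT_X509 = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")  # UEFI spec GUID
# Assumption: subject/issuer markers reported for the AMI test keys (not on this page).
TEST_KEY_MARKERS = (b"DO NOT TRUST", b"DO NOT SHIP")
# Linux efivarfs path of the PK variable (EFI global variable GUID).
PK_PATH = "/sys/firmware/efi/efivars/PK-8be4df61-93ca-11d2-aa0d-00e098032b8c"

def parse_signature_lists(data):
    """Yield (type_guid, signature_bytes) for each entry of EFI_SIGNATURE_LIST data."""
    offset = 0
    while offset < len(data):
        if len(data) - offset < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=data[offset:offset + 16])
        list_size, header_size, sig_size = struct.unpack_from("<III", data, offset + 16)
        end = offset + list_size
        if list_size < 28 + header_size or end > len(data) or sig_size <= 16:
            raise ValueError("malformed EFI_SIGNATURE_LIST")
        # Each entry is a 16-byte owner GUID followed by the signature data.
        for pos in range(offset + 28 + header_size, end - sig_size + 1, sig_size):
            yield sig_type, data[pos + 16:pos + sig_size]
        offset = end

def find_test_keys(data):
    """Return the test-key markers found in X.509 entries of a key database."""
    hits = []
    for sig_type, blob in parse_signature_lists(data):
        if sig_type == EFI_CERT_X509:
            hits += [m.decode() for m in TEST_KEY_MARKERS if m in blob]
    return hits

def build_list(cert, owner=uuid.UUID(int=0)):
    """Build a one-entry X.509 signature list (used only for the constructed samples)."""
    sig = owner.bytes_le + cert
    return EFI_CERT_X509.bytes_le + struct.pack("<III", 28 + len(sig), 0, len(sig)) + sig

# Constructed samples: placeholder bytes standing in for DER certificates.
SAMPLE_TEST_PK = build_list(b"CONSTRUCTED-CERT CN=DO NOT TRUST - AMI Test PK")
SAMPLE_VENDOR_PK = build_list(b"CONSTRUCTED-CERT CN=Example Vendor Platform Key")

if __name__ == "__main__":
    try:
        with open(PK_PATH, "rb") as f:
            pk = f.read()[4:]  # efivarfs prefixes 4 bytes of variable attributes
    except OSError:
        pk = SAMPLE_TEST_PK  # not on a UEFI Linux host: use the constructed sample
    print("test key markers in PK:", find_test_keys(pk) or "none")
```

A non-empty result on a real device means the Platform Key carries one of the assumed test markers, and the device should be handled as the advisory describes for affected devices.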
Further information on PKFail vulnerability research and details can be found here:
PKfail: Untrusted Platform Keys Undermine Secure Boot on UEFI Ecosystem (binarly.io)
https://github.com/binarly-io/Vulnerability-REsearch/blob/main/PKfail/BRLY-2024-005.md